Onboarding Devices in the Microsoft 365 Apps Admin Center

Published Jan 24 2022 08:48 AM
Microsoft

The Microsoft 365 Apps admin center provides several cloud-based features to help you manage the Microsoft 365 Apps in your organization. Features such as Inventory, Security Update Status and Servicing Profiles deliver powerful insights about your Microsoft 365 apps, while helping to ensure they remain up-to-date and secure. If you are not familiar with the Microsoft 365 Apps admin center and the features mentioned above, take a few minutes to review the Roadmap to modern management for Microsoft 365 Apps. Additionally, check out the guided simulations for each of these features available here: Microsoft 365 Apps Management and Health Services.

 

Figure_001.png

 

In this blog post, we're going to take a closer look at how devices onboard to our inventory service within the Microsoft 365 Apps admin center. Successful onboarding is a prerequisite for reporting and update management. Once devices have completed onboarding, they will appear in inventory and their update compliance information will populate on the Security Update Status page. You will also have access to target these devices with a Servicing Profile to ensure they are on the correct update channel and receiving updates consistently with minimal effort.

 

Note: There are other features in the portal that operate independently from Inventory, Security Update Status and Servicing Profiles. We will not be covering these features in detail in this post, but be aware that they have their own requirements for device onboarding. For example, OneDrive Sync health requires you to set up a Tenant Association Key and Apps Health requires you to enable diagnostic data.

 

Breaking Down the Onboarding Process

 

Unlike other management tools, device onboarding with inventory does not require you to deploy any additional software or settings to devices. Instead, devices onboard automatically through a process referred to as auto provisioning. The following flowchart describes this process in more detail:

 

Figure_002.png

 

  1. Inventory is not enabled by default. An admin must first sign in to the Microsoft 365 Apps admin center, select Inventory, and click Get started to begin the provisioning process. This is a one-time action and can take 15-20 minutes before the Insights dashboard is displayed. 
  2. Devices must meet the documented minimum requirements for inventory before they can onboard with the service. If they do not meet these requirements, auto provisioning will fail and retry later. 
  3. Inventory is populated by active devices. An active device is defined by the following criteria: 
    • Supported version of Microsoft 365 Apps installed. 
    • Connectivity to the config.office.com service. 
    • Licensed user signed in. 
    • Office app usage. 
  4. If items 1-3 pass, the auto provisioning process will complete successfully. 
  5. The Tenant Association Key (TAK) for your tenant is retrieved and stored locally on the device. 
  6. New Component Object Model (COM) objects are registered on the device – 1 for policy and 1 for inventory. 
  7. Office app inventory is collected and uploaded to the portal for review. 

Assuming all steps are successful, a device will typically appear in inventory within 60 seconds of an Office app being launched. In some cases, it may be necessary for an Office app to be launched more than once to initiate the onboarding sequence for the first time. This isn’t generally an issue in production, but it is worth noting for lab environments where testing is being done. 

 

Note: After you have enabled inventory for your tenant, keep in mind that all data is being retrieved for the first time. The number of devices reporting in will increase with user activity. Expect to see a large increase in numbers over the first 24 hours, and then tapering down as time goes on. Enabling inventory prior to a weekend or holiday may impact initial onboarding time. 

 

Step 1 - Enabling the inventory feature

 

Figure_003.png

 

The process for enabling inventory for your tenant is simple. If the feature has not been enabled, you will be presented with the Welcome page shown above. Once an admin clicks on Get started, the listed features will be provisioned for your tenant. This action only needs to be completed once.

 

Step 2 – Review the requirements for using inventory

 

Devices must meet a few basic requirements before the auto provisioning process can successfully complete onboarding. For the latest list of requirements, visit: Requirements for using inventory. Be sure that you have reviewed these items and taken the appropriate actions for your organization.

 

Step 3 – Monitor onboarding activity

 

You can monitor onboarding progress for your tenant by visiting the Inventory Insights page in the Microsoft 365 Apps admin center (shown below). As devices report in, the total under Data Insights will increase. Click on Show all devices to see a complete list of all devices that have onboarded.

 

Figure_004.png

 

From the detailed device list, you can apply sort and filter operations by clicking on the column headers. In the following example we have a filter applied to show devices that have checked in on or after Patch Tuesday. You also have the option to export these results to a CSV file. The export function will include records based on the applied filters. If no filters are applied, all records will be exported. 

 

Figure_005.png

 

Troubleshooting Onboarding and Inventory

 

Below are some of the most common troubleshooting scenarios that we hear about regarding device onboarding with the inventory service, along with recommendations for remediation. Before you move on, always start by reviewing the requirements for using inventory. We find that in most cases devices fail the onboarding process simply because they do not meet the minimum requirements.

 

  • Inventory is enabled but I am missing devices
    • If inventory was recently enabled (< 24 hours) and you are seeing a steady growth in numbers, give the service another 1-2 days and monitor.
    • Comparing device numbers in inventory with other tools can be a helpful way to track onboarding progress and overall coverage. However, keep these variables in mind:
      • Stale inventory records in the Microsoft 365 Apps admin center are dropped after 30 days by default. Tools like Configuration Manager have a default value of 90 days. 
      • Devices that are in use and active on your network will not appear in inventory unless the Office apps are installed and being used regularly.
      • Unmanaged / personally owned devices will appear in inventory. 
    • Microsoft 365 Apps with a version prior to 2008 are not supported with inventory.
    • Non-subscription versions of Microsoft 365 Apps are not supported with inventory.
    • Microsoft 365 Apps configured for viewer mode are not supported with inventory due to these apps being unlicensed.
    • Devices are failing to onboard because they are unable to retrieve the Tenant Association Key (TAK).
      • TAK retrieval failures are often due to devices not meeting the inventory requirements.
      • To confirm if the TAK has been retrieved, query the following registry key by opening a PowerShell prompt and entering the following command:

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\cloud\office\16.0\Common\officesvcmanager"

 

The return output should have your TenantAssociationKey. If the value is not present, try signing out of your Office apps, closing Office completely, starting Word, and then running the command again.

 

If the TenantAssociationKey is still not present, please open a support case or use the feedback button to let us know.

 

  • Devices are disappearing from Inventory
    • Devices that have not communicated with the inventory service in 30 days (default) will be removed. Keep in mind that the device may still be on and in use by the user, but there has not been any Office app usage. To remediate, ensure the Office apps are being used on the device.

 

Frequently Asked Questions

 

Q: What permissions do I need to enable inventory for my tenant?

A: For more information on supported security roles, visit: Overview of the Microsoft 365 Apps admin center > How to get to the admin center.

 

Q: What information is collected when enabling inventory?

A: For more information on what data is sent to Microsoft for the inventory feature, visit: Data sent to Microsoft for the inventory feature in the Microsoft 365 Apps admin center.

 

Q: How long is inventory kept?

A: By default, device records are kept in inventory for 30 days. This can be extended up to 180 days by navigating to Settings > Inventory clean up. Devices send a heartbeat to the inventory service once a day. If a heartbeat has not been received in the defined range, the record will be removed. If the device comes back online and sends a heartbeat, the device will be re-added to inventory.

 

Q: Why do I see personally owned devices in inventory?

A: Inventory and the other features in the Microsoft 365 Apps admin center are designed to give you a complete picture of the Office apps connected to your tenant, regardless of device management state and domain membership. If a user signs into Office with an Org ID from your tenant, you can expect to see them listed in inventory.

 

Q: What is the Tenant Association Key?

A: The Tenant Association Key (TAK) is a JSON web token generated for your tenant and is listed in the Microsoft 365 Apps admin center under Settings. The TAK can be decoded using a JSON debugger, and in doing so will output your tenant ID and a unique app ID. The TAK is used to associate devices with your tenant. During onboarding, the TAK is retrieved through the auto provisioning process and stored locally on the device. The TAK will remain on the device as long as the Office apps continue to send a heartbeat to the management service. If Office app use stops for 14 days or more, the TAK is automatically removed for security, but will be retrieved again the next time Office runs.
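
The registry check from the troubleshooting section and the JWT decoding described in this answer can be combined in one script. This is an added example, not code from the original post or from Microsoft. It assumes the TenantAssociationKey registry value holds the token in compact three-part JWT form, and the function names and the $ExpectedTenantId placeholder are illustrative.

```powershell
# Added example: confirm the TAK is present on this device and decode its payload.
# The registry path and value name are the ones given in the post.
$TakPath = 'HKLM:\SOFTWARE\Policies\Microsoft\cloud\office\16.0\Common\officesvcmanager'

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    # JWT segments are base64url without padding; restore standard base64 first.
    $b64 = $Text.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
        1 { throw 'Invalid base64url length.' }
    }
    [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64))
}

function Get-TakPayload {
    param([string]$Path = $TakPath)
    $item = Get-ItemProperty -Path $Path -Name 'TenantAssociationKey' -ErrorAction SilentlyContinue
    if (-not $item) { return $null }   # key or value absent: onboarding has not completed
    # Assumption: the value is a compact JWT (header.payload.signature).
    $segments = $item.TenantAssociationKey.Split('.')
    if ($segments.Count -ne 3) { throw 'Stored value is not a three-part JSON web token.' }
    # Decoding only reads the payload; it does not verify the token signature.
    ConvertFrom-Base64Url $segments[1] | ConvertFrom-Json
}

# Placeholder: replace with your own tenant ID (GUID).
$ExpectedTenantId = '00000000-0000-0000-0000-000000000000'

$payload = Get-TakPayload
if ($null -eq $payload) {
    Write-Warning 'TenantAssociationKey not found. Sign out of Office, close it, start Word, then re-run.'
} else {
    $payload | Format-List
    # The post does not name the claims, so search every payload value for the tenant ID.
    $values = $payload.PSObject.Properties | ForEach-Object { [string]$_.Value }
    if ($values -contains $ExpectedTenantId) {
        Write-Output 'TAK references the expected tenant.'
    } else {
        Write-Warning 'TAK does not reference the expected tenant ID; review this device.'
    }
}
```

The script prints only the decoded payload, never the raw token, so its output can be attached to a support case without exposing the key itself.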

 

Q: What does “Generate new key” do?

A: The Generate new key function is an option in the Microsoft 365 Apps admin center. This option can be accessed by navigating to Settings > Tenant Association Key. By default, your tenant will already have a TAK and any devices that have onboarded with the inventory service will be associated with that value. If you believe that your TAK has been compromised (e.g., suspicious devices showing in inventory) or have a need to generate a new key (e.g., directed through a support case), selecting this option will generate a new value. It is important to understand that in doing so, all communication to existing devices will temporarily be lost until the new key has been associated with those devices. Take caution and plan accordingly.

 

Share Your Feedback with Us

 

We value your feedback! As you navigate the Microsoft 365 Apps admin center and work with these features, share your thoughts with us by clicking on the feedback button in the upper-right corner. Send us a smile, a frown, or share a suggestion. The feedback you submit goes directly to our engineering team.

 

Figure_006.png

 

Continue the conversation by joining us in the Microsoft 365 Tech Community! Whether you have product questions or just want to stay informed with the latest updates on new releases, tools, and blogs, Microsoft 365 Tech Community is your go-to resource to stay connected!
